Systems and methods for transferring resource access

ABSTRACT

Systems and methods for transferring resource access from a sender to a recipient are disclosed that can allow a sender to specify an amount of a resource to provide access to (e.g., an amount of money or an amount of access rights), while still providing security for the sender&#39;s sensitive credential information (e.g., PAN and/or PIN). These systems and methods can allow a sender to transfer resource access from any location and at any time of the day. In the case of money transfers, the recipient can quickly and directly obtain the money from any ATM location associated with any bank and at any time of the day, even without a bank account.

CROSS-REFERENCES TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No.15/701,871, filed on Sep. 12, 2017, which is a continuation applicationof U.S. application Ser. No. 15/156,633, filed on May 17, 2016, now U.S.Pat. No. 9,792,782, which are herein incorporated by reference in theirentirety for all purposes.

BACKGROUND

There are instances where a sender wants to quickly provide resourceaccess to a recipient. For example, a parent may want to provide moneyto their child at college without the parent being present. In anotherexample, a parent may want to give a child access rights to a housewithout the parent being present. However, the parent may not want togive the child full access to his or her payment or access credentials.In addition, the parent may want to ensure that only the child canobtain access to the resource, and not an unauthorized party. Thus,secure systems and methods for transferring resource access torecipients are needed.

An exemplary conventional resource access provider is a money transferagent. To send money, a sender goes to a location associated with themoney transfer agent. The sender pays the money transfer agent an amountof money to be transferred to the recipient plus a convenience fee, andprovides information about the recipient (e.g., the recipient's name).To receive the money transfer, the recipient must go to the same oranother location associated with the money transfer agent and provideidentification confirming the recipient's name.

There are many disadvantages associated with money transfer agents. Forexample, both the sender and the recipient must go to a locationassociated with the money transfer agent during business hours, whichmay not be convenient. In addition, the sender must either pay for themoney transfer using cash or a cashier's check, or provide sensitivecredentials to the money transfer agent (e.g., PAN, credit card number,bank account number, etc.). This increases the likelihood of fraudagainst the sender.

Embodiments of the invention address these and other problems,individually and collectively.

SUMMARY

Some embodiments of the present invention relate to systems and methodsfor transferring resource access from a sender to a recipient that canallow a sender to specify an amount of the resource to provide access to(e.g., an amount of money or an amount of access rights), while stillproviding security for the sender's sensitive credential information(e.g., PAN and/or PIN). These systems and methods can allow a sender totransfer resource access from any location and at any time of the day.In the case of money transfers, the recipient can quickly and directlyobtain the money from any ATM location associated with any bank and atany time of the day, even without a bank account.

According to one embodiment of the invention, a first request totransfer access to a resource from a sender to a recipient is received.The first request includes a credential associated with the sender and arecipient identifier. The credential is associated with a sender code. Atoken corresponding to the credential and a recipient code associatedwith the sender code are generated. The token and the recipient code aresent to the recipient using the recipient identifier. Thereafter, asecond request to access the resource is received. The second requestincludes the token and the recipient code. The token is translated intothe credential and the recipient code is translated into the sendercode. The second request is processed using the credential and thesender code.

Embodiments of the invention are further directed to a server computercomprising a processor and a memory element. The memory element cancomprise code, executable by the processor, for implementing the abovedescribed method.

These and other embodiments of the invention are described in furtherdetail below.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a block diagram of a system according to embodiments of thepresent invention.

FIG. 2 shows a block diagram of a communication device according toembodiments of the present invention.

FIG. 3 shows a block diagram of an application provider computeraccording to embodiments of the present invention.

FIG. 4 shows a block diagram of a transaction processing computeraccording to embodiments of the present invention.

FIG. 5 shows a flowchart of a method for transferring resource accessaccording to embodiments of the present invention.

FIG. 6 shows a block diagram of a building access system according toembodiments of the present invention.

DETAILED DESCRIPTION

Embodiments of the invention are directed to systems and methods fortransferring resource access from a sender to a recipient. The sendersubmits a request to transfer access to the resource, along with thesender's credential (e.g., debit account number) and a recipientidentifier (e.g., a mobile phone number). The sender's credential isassociated with a sender code (e.g., a PIN number). The request mayfurther specify an amount or quantity of the resource. For example, therequest may specify that $100 should be transferred to the recipientfrom the sender's debit account.

Once the request is received, a token is generated that corresponds tothe sender's credential, and a recipient code (e.g., a PIN number) isgenerated that is associated with the sender code. The token and therecipient code are sent to the recipient using the recipient identifier.For example, if the recipient identifier provided by the sender in therequest is a mobile phone number, the token and the recipient code canbe text messaged to the recipient, or communicated to the recipient in avoice call. In another example, if the recipient identifier provided bythe sender in the request is an e-mail address, the token and therecipient code can be e-mailed to the recipient.

At any point thereafter, the recipient can submit a request to accessthe resource, including the token and the recipient code. For example,the recipient can go to an ATM, enter the token and PIN number, andrequest withdrawal of the transferred funds. Once the request isreceived from the recipient, the token is translated into the sender'scredential, and the recipient code is translated into the sender code.Then, the recipient's request is processed using the sender's credentialand the sender code. For example, the recipient's request may beprocessed as a typical ATM withdrawal from the sender's debit account.

Before discussing specific embodiments and examples, some descriptionsof terms used herein are provided below.

An “acquirer” may typically be a business entity (e.g., a commercialbank) that has a business relationship with a particular merchant orother entity. Some entities can perform both issuer and acquirerfunctions. Some embodiments may encompass such single entityissuer-acquirers. An acquirer may operate an acquirer computer, whichcan also be generically referred to as a “transport computer”.

An “application provider” may be an entity that can provide a service orapplication. An example of an application provider is a digital walletprovider.

An “authorization request message” may be a message to requestauthorization for a transaction. An authorization request messageaccording to some embodiments may comply with (InternationalOrganization of Standardization) ISO 8583, which is a standard forsystems that exchange electronic transaction information associated witha payment made by a consumer using a payment device or payment account.The authorization request message may include an issuer accountidentifier that may be associated with a payment device or paymentaccount. An authorization request message may also comprise additionaldata elements corresponding to “identification information” including,by way of example only: a service code, a CVV (card verification value),a dCVV (dynamic card verification value), an expiration date, a PINnumber, etc. An authorization request message may also comprise“transaction information,” such as any information associated with acurrent transaction, such as the transaction amount, merchantidentifier, merchant location, etc., as well as any other informationthat may be utilized in determining whether to identify and/or authorizea transaction.

An “authorization response message” may be a message reply to anauthorization request message. The authorization response message mayinclude, by way of example only, one or more of the following statusindicators: Approval—transaction was approved; Decline—transaction wasnot approved; or Call Center—response pending more information, merchantmust call the toll-free authorization phone number. The authorizationresponse message may also include an authorization code, which may be acode that a credit card issuing bank returns in response to anauthorization request message in an electronic message (either directlyor through the payment processing network) to the merchant's accessdevice (e.g. POS equipment) that indicates approval of the transaction.The code may serve as proof of authorization. As noted above, in someembodiments, a payment processing network may generate or forward theauthorization response message to the merchant.

An “authorizing entity” may be an entity that authorizes a request.Examples of an authorizing entity may be an issuer, a governmentalagency, a document repository, an access administrator, etc.

A “code” may comprise any combination of letters, numbers and/or symbolsof any length used to protect access to a resource. Examples of codesinclude PIN numbers, passwords, access codes, keys, seeds, and the like.A code may be associated with a particular party. For example, a codeassociated with a sender may be referred to as a “sender code”, and/or acode associated with a recipient may be referred to as a “recipientcode”.

A “communication device” may comprise any suitable electronic devicethat may be operated by a user, which may also provide remotecommunication capabilities to a network. Examples of remotecommunication capabilities include using a mobile phone (wireless)network, wireless data network (e.g., 3G, 4G or similar networks),Wi-Fi, Wi-Max, or any other communication medium that may provide accessto a network such as the Internet or a private network. Examples ofcommunication devices include mobile phones (e.g., cellular phones),PDAs, tablet computers, net books, laptop computers, personal musicplayers, handheld specialized readers, watches, fitness bands, anklebracelets, rings, earrings, etc., as well as automobiles with remotecommunication capabilities. A communication device may comprise anysuitable hardware and software for performing such functions, and mayalso include multiple devices or components (e.g., when a device hasremote access to a network by tethering to another device—i.e., usingthe other device as a modem—both devices taken together may beconsidered a single communication device).

A “credential” may comprise any evidence of authority, rights, orentitlement to privileges. For example, access credentials may comprisepermissions to access certain tangible or intangible assets, such as abuilding or a file. In another example, payment credentials may includeany suitable information associated with and/or identifying an account(e.g., a payment account and/or a payment device associated with theaccount). Such information may be directly related to the account or maybe derived from information related to the account. Examples of accountinformation may include an “account identifier” such as a PAN (primaryaccount number or “account number”), a token, a subtoken, a gift cardnumber or code, a prepaid card number or code, a user name, anexpiration date, a CVV (card verification value), a dCVV (dynamic cardverification value), a CVV2 (card verification value 2), a CVC3 cardverification value, etc. An example of a PAN is a 16-digit number, suchas “4147 0900 0000 1234”. In some embodiments, credentials may beconsidered sensitive information.

A “digital wallet” can include an electronic application or device thatallows an individual to conduct electronic commerce transactions. Adigital wallet may store user profile information, payment credentials,bank account information, one or more digital wallet identifiers, and/orthe like, and can be used in a variety of transactions, such as but notlimited to eCommerce, social networks, money transfer/personal payments,mobile commerce, proximity payments, gaming, and/or the like for retailpurchases, digital goods purchases, utility payments, purchasing gamesor gaming credits from gaming websites or systems, transferring fundsbetween users, and/or the like. A digital wallet may be designed tostreamline the purchase and payment process. A digital wallet may allowthe user to load one or more payment cards onto the digital wallet so asto make a payment without having to enter an account number or present aphysical card. A digital wallet may also store transaction records(e.g., electronic receipts).

An “identifier” can include any combination of letters, numbers, symbolsand/or images identifying something. Certain identifiers may be used tocommunicate with a party. Examples of these identifiers include e-mailaddresses, website addresses, IP addresses, communication deviceidentifiers, phone numbers, physical addresses, and the like. Anidentifier may be associated with a party. For example, a “recipientidentifier” may be an identifier associated with a recipient (e.g., arecipient mobile phone number).

An “issuer” may typically refer to a business entity (e.g., a bank) thatmaintains an account for a user. An issuer may also issue paymentcredentials stored on communications devices.

“Provisioning” may include a process of providing data for use. Forexample, provisioning may include providing, delivering, or enabling atoken on a communication device. Provisioning may be completed by anyentity within or external to the transaction system. For example, insome embodiments, tokens may be provisioned by an issuer or atransaction processing network onto a mobile device. The provisionedtokens may have corresponding token data stored and maintained in atoken vault or token registry. In some embodiments, a token vault ortoken registry may generate a token that may then be provisioned ordelivered to a device. In some embodiments, an issuer may specify atoken range from which token generation and provisioning can occur.Further, in some embodiments, an issuer may generate and notify a tokenvault of a token value and provide the token record information (e.g.,token attributes) for storage in the token vault.

A “resource” may comprise any tangible or intangible asset. Examples ofresources include goods, services, money, information, buildings,houses, data, files, applications, and the like.

A “server computer” may include a powerful computer or cluster ofcomputers. For example, a server computer can be a large mainframe, aminicomputer cluster, or a group of servers functioning as a unit. Inone example, the server computer may be a database server coupled to aWeb server. The server computer may comprise one or more computationalapparatuses and may use any of a variety of computing structures,arrangements, and compilations for servicing the requests from one ormore client computers.

A “token” may include a substitute identifier for some information. Forexample, an access token may be a substitute or subordinate identifierfor an access credential. In another example, a payment token mayinclude an identifier for a payment account that is a substitute for anaccount identifier, such as a primary account number (PAN). Forinstance, a token may include a series of alphanumeric characters thatmay be used as a substitute for an original account identifier. Forexample, a token “4900 0000 0000 0001” may be used in place of a PAN“4147 0900 0000 1234.” In some embodiments, a token may be “formatpreserving” and may have a numeric format that conforms to the accountidentifiers used in existing payment processing networks (e.g., ISO 8583financial transaction message format). In some embodiments, a token maybe used in place of a PAN to initiate, authorize, settle or resolve apayment transaction. The token may also be used to represent theoriginal credential in other systems where the original credential wouldtypically be provided. In some embodiments, a token value may begenerated such that the recovery of the original PAN or other accountidentifier from the token value may not be computationally derived.Further, in some embodiments, the token format may be configured toallow the entity receiving the token to identify it as a token andrecognize the entity that issued the token.

I. Systems

Various systems may be used to implement the methods of transferringresource access described herein. FIG. 1 shows a block diagram of asystem 100 according to embodiments of the present invention. The system100 includes a sender communication device 120, a recipientcommunication device 160, an application provider computer 130, atransaction processing computer 140, a transport computer 180, anauthorizing entity computer 190, and an automated teller machine (ATM)170. Each of these systems and computers may be in operativecommunication with each other. In some embodiments, the sendercommunication device 120 may be operated by a sender 110, and therecipient communication device 160 may be operated by a recipient 150.

For simplicity of illustration, a certain number of components are shownin FIG. 1. It is understood, however, that embodiments of the inventionmay include more than one of each component. In addition, someembodiments of the invention may include fewer than or greater than allof the components shown in FIG. 1. In addition, the components in FIG. 1may communicate via any suitable communication medium (including theInternet), using any suitable communications protocol.

Sender 110 may operate sender communication device 120 to send a requestto transfer access to a resource from sender 110 to recipient 150 viarecipient communication device 160. Each of communication devices 120and 160 may be any device suitable to carry out transactions, such asfinancial transactions, or any other additional related actions. One orboth of communication device 120 and 160 may include a memory that maystore a digital wallet application or other payment application. Theapplication may be provisioned with account information (e.g., acredential or token) to enable each communication device to conducttransactions (e.g., sending and receiving money). Each of communicationdevice 120 and 160 may also include a secure element that can beimplemented in either hardware and/or software, which may storesensitive account or personal information. Communication devices 120 and160 may communicate over a communication network with one or moreentities, including application provider computer 130, transactionprocessing computer 140, and/or ATM 170.

The application provider computer 130 may be operated or associated withan application provider. The application provider may be an entity thatprovides an application to a communication device for use by a user(e.g., a sender or recipient). In some embodiments, the applicationprovider can be a digital wallet provider that provides a digital walletor payment application to a communication device. The applicationprovider computer 130 may maintain one or more digital wallets for eachuser, and each digital wallet may be associated with payment data forone or more payment accounts. Examples of digital wallets may includeVisa Checkout™ or Google™ Wallet, etc. In another embodiment, theapplication provider can be a money transfer provider that provides auser interface facilitating transfers of money between parties.

The application provider computer 130 may comprise a server computer tofacilitate the provisioning process. The server computer may include aprocessor and a computer readable medium coupled to the processor, thecomputer readable medium comprising code, executable by the processorfor performing the functionality described in further detail below. Theserver computer may send and receive over-the-air (OTA) messages to adigital wallet application stored on the communication device 120 or160.

The transaction processing computer 140 may be associated with one ormore payment service providers. The transaction processing computer 140may include any entity that provides provisioning services and/or thatinterfaces with an ATM 170, either directly or indirectly, to facilitatemoney transfers. The transaction processing computer 140, via aprovisioning service module, may provide provisioning services to theapplication provider computer 130, in which the application providercomputer 130 may utilize an application programming interface (API) tocommunicate with the transaction processing computer 140.

In some embodiments, the transaction processing computer 140 may includemodules that provide additional services, including but not limited to atoken generation module that can generate and/or provide a “paymenttoken” that is associated with sensitive data (e.g., accountinformation). For example, the token generation module may generate apayment token that can be used as a substitute for a real accountidentifier (e.g., a Primary Account Number (PAN) of an account), andmaintain a stored association (e.g., mapping) between the payment tokenand the PAN, such that a token exchange module is able to “translate”the payment token back to the original PAN. In some embodiments, thepayment token is mathematically derived from the original PAN. In otherembodiments, the payment token is randomly generated with respect to theoriginal PAN, and is simply linked to it in a data table. Regardless ofhow the payment token is generated from the PAN and vice versa, the useof a payment token instead of a real account identifier during atransaction can provide enhanced security. In some embodiments, thepayment token and/or information regarding the payment token may bestored in a token vault or database. These embodiments are described infurther detail herein, particularly with respect to FIG. 4.

The transaction processing computer 140 may comprise a server computer.The server computer may include a processor and a computer readablemedium coupled to the processor, the computer readable medium comprisingcode, executable by the processor, for performing the functionsdescribed herein.

The transport computer 180 is typically a system for an entity (e.g., abank) that has a business relationship with a particular entity (e.g., abank associated with, controlling, or maintaining a particular ATM 170).The transport computer 180 may generate and route an authorizationrequest message for a transaction (e.g., for a money withdrawal at ATM170) to the authorizing entity computer 190 via transaction processingcomputer 140. The transport computer 180 may comprise a server computer.The server computer may include a processor and a computer readablemedium coupled to the processor, the computer readable medium comprisingcode, executable by the processor, for performing the functionsdescribed herein.

In some embodiments, the authorizing entity computer 190 may communicatewith the transaction processing computer 140 to authorize transactions.The authorizing entity computer 190 is typically run by a businessentity (e.g., a bank) that may have issued the credential or paymenttokens used for the transactions (e.g., the money transfers). Somesystems can perform both authorizing entity computer 190 and transportcomputer 180 functions. When a transaction involves a credential (e.g.,a payment account) associated with the authorizing entity computer 190,the authorizing entity computer 190 may verify the account and respondwith an authorization response message to the transport computer 180 viathe transaction processing computer 140, that may be forwarded to thecorresponding recipient 150 and/or recipient communication device 160.The authorizing entity computer 190 may comprise a server computer. Theserver computer may include a processor and a computer readable mediumcoupled to the processor, the computer readable medium comprising code,executable by the processor, for performing the functions describedherein.

The transport computer 180, the transaction processing computer 140, andthe authorizing entity computer 190 are further configured to perform aclearing and settlement process at a later time after a transaction hasbeen completed (e.g., at the end of the day).

FIG. 2 shows a block diagram of a communication device 200 according toembodiments of the present invention. Communication device 200 may beused to implement sender communication device 120 and/or recipientcommunication device 160 of FIG. 1, for example. Communication device200 may include device hardware 204 coupled to a memory 202. Devicehardware 204 may include a processor 205, a communications subsystem209, and a user interface 206. In some embodiments, device hardware 204may include a display 207 (which can be part of user interface 206).Device hardware 204 may also include a contactless interface 208, forexample, in some embodiments in which communication device 200 is aportable communication device. Processor 205 can be implemented as oneor more integrated circuits (e.g., one or more single core or multicoremicroprocessors and/or microcontrollers), and is used to control theoperation of communication device 200. Processor 205 can execute avariety of programs in response to program code or computer-readablecode stored in memory 202, and can maintain multiple concurrentlyexecuting programs or processes. Communications subsystem 209 mayinclude one or more RF transceivers and/or connectors that can be usedby portable communication device 200 to communicate with other devicesand/or to connect with external networks. User interface 206 can includeany combination of input and output elements to allow a user to interactwith and invoke the functionalities of communication device 200. In someembodiments, user interface 206 may include a component such as display207 that can be used for both input and output functions.

Contactless interface 208 may include one or more specialized RFtransceivers (e.g., near field communication (NFC) transceivers) tointeract with a contactless reader of another device to conduct atransaction (e.g., money transfer, money withdrawal, paymenttransaction, access transaction, information exchange, etc.). Forexample, communication device 200 may utilize contactless interface 208to wirelessly communicate a credential or token and/or PIN number to anATM (e.g., ATM 170 of FIG. 1). In secure element based implementations,only a secure element (not shown) may have access to contactlessinterface 208. In some embodiments, contactless interface 208 can beaccessed by the mobile OS 220 using specialized card emulation APIs 222without requiring the use of a secure element.

Memory 202 can be implemented using any combination of any number ofnon-volatile memories (e.g., flash memory) and volatile memories (e.g.,DRAM, SRAM), or any other non-transitory storage medium, or acombination thereof media. Memory 202 may store an operating system (OS)220 and an application environment 210 where one or more applicationsreside including application 212 to be executed by processor 205. Insome embodiments, OS 220 may implement a set of card emulation APIs 222that can be invoked by application 212 to access contactless interface208 to interact with an access device.

Application 212 can include an application that uses, accesses, and/orstores sensitive information, credentials and/or tokens. For example,application 212 can include a digital wallet or payment application thatuses credentials to conduct transactions (e.g., money transfers orwithdrawals) via communication device 200. In some embodiments, accessto application 212 by a user can be protected by user authenticationdata such as a password, passcode, PIN, etc. For example, when a userattempts to launch or execute application 212, the user may be requestedto enter valid user authentication data before the user can accessapplication 212. Application 212 may include a download manager 218, atransfer initiation module 214, and a credential (e.g., token and/orpayment credentials) data store 216. In some embodiments, one or more ofthese components can be provided by another application or componentthat is not part of application 212.

Download manager 218 can be programmed to provide functionalities tocommunicate with an application provider associated with application 212to download information via the application provider. Download manager218 working in conjunction with the processor 205 may request orotherwise manage the acquisition and/or storage of credentials. Forexample, download manager 218 working in conjunction with the processor205 may request and/or obtain credentials via the application providerassociated with application 212, and store the credentials in credentialdata store 216. In another example, download manager 218 working inconjunction with the processor 205 may obtain tokens via a transactionprocessing computer, and store the tokens in credential data store 216.In some embodiments, the credentials and/or tokens can be received in anencrypted form. For example, the credentials can be encrypted with asession key generated by a server computer. Download manager 218 workingin conjunction with the processor 205 may also receive, from theapplication provider, the session key in an encrypted form, and storethe encrypted session key in credential data store 216.

In certain embodiments, application 212 may have a cryptography module(not shown) working on conjunction with the processor 205 to providecryptographic functionalities for application 212. For example, thecryptography module may implement and perform encryption/decryptionoperations for application 212 using encryption algorithms such as DES,AES, TDES, or the like, and/or hash functions such as SHA, or the like.For example, when application 212 accesses credential data store 216 toretrieve and use the credentials and/or tokens stored therein (e.g., toconduct a transaction, perform a money transfer, or request awithdrawal), application 212 may invoke the cryptography module todecrypt the session key that is used to encrypt the stored credentials,and then decrypt the credentials using the decrypted session key. Thedecrypted credentials and/or tokens can then be used by application 212.

In some embodiments (e.g., when communication device 200 is sendercommunication device 120 of FIG. 1), application 212 may further includea transfer initiation module 214. The transfer initiation module 214may, in conjunction with the processor 205, receive requests to initiatetransfers of money from a sender to a recipient. When initiated,application 212 may allow a sender to select a credential fromcredential data store 216 that will be used to transfer the money (or toadd a new credential to credential data store 216 that will be used totransfer the money), to enter a recipient identifier (e.g., a mobilephone number), and an amount for the transfer. Application 212 may thenuse communication subsystem 209 to communicate the request details to anapplication provider computer (e.g., application provider computer 130of FIG. 1).

FIG. 3 shows a block diagram of an application provider computer 300according to embodiments of the present invention. Application providercomputer may be implemented as application provider computer 130 of FIG.1, for example. Application provider computer 300 may be associated withan application provider, according to some embodiments. For example,application provider computer 300 can provide a software application orservices associated with the application for a communication device(e.g., application 212 of FIG. 2). Application provider computer 300 mayinclude a processor 301 coupled to a network interface 302 and acomputer readable medium 306. In some embodiments, application providercomputer 300 may also include a host security module (HSM) 320.Application provider computer 300 may also include or otherwise haveaccess to a database 303 that may be internal or external to serviceprovider computer 300.

Processor 301 may include one or more microprocessors to execute programcomponents for performing the transfer request functions 308 ofapplication provider computer 300. Network interface 302 can beconfigured to connect to one or more communication networks to allowapplication provider computer 300 to communicate with other entitiessuch as a communication device operated by a user, a server computer,etc. Computer readable medium 306 may include any combination of one ormore volatile and/or non-volatile memories, for example, RAM, DRAM,SRAM, ROM, flash, or any other suitable memory components. Computerreadable medium 306 may store code executable by the processor 301 forimplementing some or all of the transfer request functions 330 ofservice provider computer 300. For example, computer readable medium 306may include code implementing a registration module 310 and a transferrequest module 308. In some embodiments, application provider computer300 may also include a host security module (HSM) 320 to implement acryptography engine 322.

Registration module 310 may work in conjunction with the processor 301to register users with application provider computer 300. For example, auser can be registered with the application provider by providingregistration module 310 with user-identifying information to identifythe user, device information such as a device identifier associated withthe user's communication device on which an application associated withthe application provider is installed, account information such as anaccount identifier associated with the user's account, etc. In someembodiments, a user may set up user authentication data (e.g., password,passcode, PIN, etc.) using the registration module 310 and the processor301. The user authentication data can be used by application providercomputer 300 to authenticate the user when the application on the user'scommunication device communicates with service provider computer 300.Registration module 310 may work in conjunction with the processor 301to also allow a user to change or update the user authentication data.The registration information can be stored in a database 303. In someembodiments, the registration process can be carried out when the userfirst downloads the application for installation on the user'scommunication device, or when the user first launches and executes theapplication.

Transfer request module 308 is programmed to process requests for moneytransfers received from the application installed on a user'scommunication device. In some embodiments, upon receiving a request fromthe application on the user's communication device, transfer requestmodule 308 in conjunction with the processor 301 may authenticate theuser and/or the communication device by verifying the userauthentication data and device identifier of the communication deviceagainst the previously registered information stored in database 303.Transfer request module 308 working in conjunction with the processor301 may then forward the request for money transfer to a transactionprocessing computer (e.g., transaction processing computer 140 of FIG.1). The request may be treated as a request to generate a token and PINto be used in a withdrawal for a particular amount of money.

Cryptography engine 322 (which may work with a separate data processorin the HSM 320) may provide cryptographic functionalities forapplication provider computer 300. In some embodiments, cryptographyengine 322 can be implemented in HSM 320, which is a specializedhardware or isolated software component used to perform cryptographicoperations and manage cryptographic keys. Cryptography engine 322 may beprogrammed to implement and perform encryption/decryption operations forapplication provider computer 300 using encryption algorithms such assuch as AES, DES, TDES, or other suitable encryption algorithms usingcryptographic keys of any length (e.g., 56-bit, 128-bit, 169-bit,192-bit, 256-bit, etc.). In some embodiments, cryptography engine 322can also be programmed to perform hash calculations using hash functionssuch as secure hash algorithm (SHA), or the like. For example, whenapplication provider computer 300 receives a session key used forencrypting credentials from a server computer, application providercomputer 300 may invoke cryptography engine 322 to encrypt the sessionkey, such that session key can be provided to the application on thecommunication device in an encrypted form. In some embodiments, thesession key can be encrypted using a hash value that is computed overthe user authentication data associated with the user requesting thecredential.

FIG. 4 shows a block diagram of a transaction processing computer 400according to embodiments of the present invention. Transactionprocessing computer 400 may be used to implement transaction processingcomputer 140 of FIG. 1, for example, and may include a token serverand/or PIN server. Transaction processing computer 400 may include aprocessor 401 coupled to a network interface 402 and a computer readablemedium 406. In some embodiments, transaction processing computer 400 mayalso include a host security module (HSM) 420. Transaction processingcomputer 400 may also include a credential, token and/or PIN registrythat may be internal or external to server computer 400.

Processor 401 may include one or more microprocessors to execute programcomponents for performing the transfer management functions 430 oftransaction processing computer 400. Network interface 402 may beconfigured to connect to one or more communication networks to allowtransaction processing computer 400 to communicate with other entitiessuch as a communication device operated by a user, an applicationprovider computer or a transfer request computer, resource providercomputer (e.g., merchant computer), transport computer (e.g., acquirercomputer), authorizing entity computer (e.g., issuer computer), etc.Computer readable medium 406 may include any combination of one or morevolatile and/or non-volatile memories, for example, RAM, DRAM, SRAM,ROM, flash, or any other suitable memory components. Computer readablemedium 406 may store code executable by the processor 401 forimplementing some or all of the transfer management functions 430 oftransaction processing computer 400 described herein. For example,computer readable medium 406 may include a requestor registration module408, a user registration module 410, a token generation module 412, averification and authentication module 414, a token exchange and routingmodule 416, a token lifecycle management module 418, a code generationmodule 417, and/or a code translation module 419.

Requestor registration module 408 may, in conjunction with the processor401, register a token requestor entity (e.g., application provider) withthe token database 403, and to generate a token requestor identifier(ID) for the registered entity. Each registered entity can use theirrespective token requestor ID as part of a token service request tofacilitate identification and validation of the entity. In someembodiments, a token requestor entity may provide token requestorinformation to the requestor registration module 408 such as an entityname, contact information, an entity type (e.g., merchant, walletprovider, payment service provider, issuer, payment enabler, acquirer,etc.). In some embodiments in which the token is transaction related,the token requestor information may also include token presentment modes(e.g., scan, contactless, e-commerce, etc.), token type (e.g.,static/dynamic, payment/non-payment, etc.), integration and connectivityparameters, and services subscribed (e.g., token request, authenticationand verification, lifecycle management, etc.) and any other relevantinformation for the onboarding process.

User registration module 410 may, in conjunction with the processor 401,perform registration of users and accounts of the users. In someembodiments, transaction processing computer 400 may allow authorizedentities to register consumer accounts (e.g., payment or financialaccounts, tokens, etc.) with the network credential system on behalf ofthe users. For example, a registered token requestor may provide a tokenrequestor ID (e.g., received at the time of registration from therequestor registration module 408), an account identifier or othersensitive information or sensitive information identifier for which atoken can substitute, a consumer name and contact information, deviceidentifier of the consumer's communication device, a token type, and anyother relevant information for individual account registration or bulkaccount registration. In some embodiments, user registration module 410working in conjunction with the processor 401 may store the accountdetails and sensitive information in token database 403 for allsuccessful activation and registration requests. In some embodiment, anauthorized entity may also unregister users and accounts by providingthe necessary information to transaction processing computer 400.

Token generation module 412 can be programmed to generate a token orretrieve sensitive information in response to processing a request for atoken (e.g., initiated by a request to transfer money) from a tokenrequestor (e.g., an application provider). In some embodiments, tokengeneration module 412 may be programmed to receive a token requestor IDand an account identifier or sensitive information identifier. In someembodiments, token generation module 412 may also be programmed toreceive optional information such as a user name, a user address and zipcode, a requested token or sensitive information type (e.g., static,dynamic, non-payment, etc.), device identifier, and/or suitableinformation. In some embodiments, token generation module 412 may beprogrammed to generate a response with the requested token or requestedsensitive information, a token expiration date associated with thetoken, and/or a token assurance level associated with the token. In someembodiments, token generation module 412 may be programmed to validatethe token requestor ID and maintain the correlation between the token,the sensitive information or credential being substituted by the token,and the associated token requestor. In some embodiments, tokengeneration module 412 may be programmed to determine if a token alreadyexists in the token registry for a token request before generating a newtoken. In some embodiments, if a token cannot be provisioned, the tokenresponse may include a corresponding reason code. In some embodiments,token generation module 412 may also be programmed to provide aninterface to the token requestors to submit a bulk token request file.

In some embodiments, the token may be generated on the fly using APIcalls. For example, when a request is received to tokenize a credentialor other sensitive information, token generation module 412 maydetermine a token range to assign the token. The token range may beassigned based on whether the issuer is provisioning the token (e.g.,issuer assigned token range) or the transaction processing network isprovisioning the token on behalf of the issuer (e.g., transactionprocessing network assigned token range). As an example, if thetransaction processing network assigned token range includes“442400000-442400250,” then “4424000000005382” may be assigned as atoken value. The database 403 may store the relationship of the tokenrange to the credential, and a token add record may be logged. In someembodiments, token generation module 412 may consider the token rangelist associated with the account identifier range before assigning atoken.

Verification and authentication module 414 may, in conjunction with theprocessor 401, execute a consumer verification and authenticationprocess, and determine a token assurance level based on the outcome ofthe verification and authentication process. For example, theverification and authentication module 414, working in conjunction withthe processor 401, can perform consumer authentication and verificationthrough a configured authentication scheme. In some embodiments, theauthentication scheme may include verification of the credential,verification values, the expiration date, and/or a delivery channelidentifier based on the customer information stored in a databaseassociated with the transaction processing network. In some embodiments,the authentication scheme may include direct verification of theconsumer by the issuer using consumer credentials for their onlinebanking system.

In some embodiments, user registration, token generation, andverification and authentication may be performed as part of processing asingle token request process. In some embodiments, for bulk requests,user registration and token generation may be performed by processing abulk file from the token requestor. In such embodiments, consumerverification and authentication may be performed in a separate step. Insome embodiments, the token requestor can request that theauthentication and verification process be performed independentlymultiple times for a particular account to reflect any changes to thelevels of assurance for the token over time.

Token exchange and routing module 416 may, in conjunction with theprocessor 401, process requests for any underlying sensitive information(e.g., a credential) associated with a given token. For example, atransaction processing network, acquirer, issuer, etc. may issue arequest for a token exchange during processing of a transaction. Tokenexchange and routing module 416 may, in conjunction with the processor401, validate that the requesting entity is entitled to make a requestfor a token exchange. In some embodiments, token exchange and routingmodule 416 may, in conjunction with the processor 401, validate thecredential (or other sensitive information) to token mapping andpresentment mode based on the transaction timestamp and the tokenexpiration timestamp. Token exchange and routing module 416 may, inconjunction with the processor 401, retrieve the credential (or othersensitive information) from database 403, and provide it along with theassurance level to the requesting entity. In some embodiments, if thecredential (or other sensitive information) to token mapping is notvalid for the transaction timestamp and presentment mode, an errormessage may be provided.

Token lifecycle management module 418 may, in conjunction with theprocessor 401, perform lifecycle operations on the tokens managed bytransaction processing computer 400. Lifecycle operations may includecanceling a token, activating or deactivating a token, updating tokenattributes, renewing token with a new expiration date, etc. In someembodiments, a token requestor entity may provide a token requestor ID,a token number, a lifecycle operation identifier and one or more tokenattributes to transaction processing computer 400 to perform therequested lifecycle operation on a given token. Token life-cyclemanagement module 418 may verify the token requestor ID and the tokenassociation based on information in database 403. Token lifecyclemanagement module 418 may, in conjunction with the processor 401,perform the requested lifecycle operation on a given token, and updatethe corresponding associations in database 403. Examples of lifecycleoperation may include a token activation operation to activate aninactive, suspended, or temporarily locked token and its associations; atoken deactivation operation to temporarily lock or suspend a token; acancel token operation to permanently mark a token and its associationsas deleted to prevent any future transactions, etc. In some embodiments,a deleted token may be used during returns/chargebacks if the same tokenwas used to submit the corresponding original transactions.

Code generation module 417 can be programmed to generate a code (e.g., arecipient PIN number) in response to processing a request to transfermoney to a recipient received from an application provider. Codegeneration module 417 may, in conjunction with processor 401, generate arecipient code using a sender code associated with the credential usedin the request. The sender code may be received with the request totransfer money, or may be requested from an authorizing entity computerassociated with the credential. In one embodiment, the recipient code tobe generated is specified by the request. The recipient code and sendercode can then be stored in association in database 403 (e.g., in alook-up table), along with the credential and its associated token. Therecipient code may be generated with particular limitations orconditions (e.g., one time use, limited time use, etc.).

In some embodiments, code generation module 417 may be programmed togenerate a response with the requested code, and/or a code expirationdate or number of uses associated with the code. In some embodiments,code generation module 417 may be programmed to determine if a codealready exists in the database for a transfer request before generatinga new code. In some embodiments, if a code cannot be generated, the coderesponse may include a corresponding reason code. In some embodiments,the code may be generated on the fly using API calls.

Code translation module 419 may, in conjunction with the processor 401,process requests for an underlying code (e.g., a sender code) associatedwith a given recipient code. For example, an ATM, transport computer,authorizing entity computer, etc. may issue a request for a codeexchange during processing of a transaction. Code translation module 419may, in conjunction with the processor 401, validate that the requestingentity is entitled to make a request for a code translation. Codetranslation module 419 may, in conjunction with the processor 401,retrieve the sender code from database 403 (e.g., using a look-uptable), and provide it to the requesting entity. In some embodiments, ifthe recipient code to sender code mapping is not valid for a particulartimestamp or transaction count, an error message may be provided.

Transaction processing computer 400 may include any of a number ofadditional modules for also processing payment transactions between aresource provider and a consumer, for example. In one embodiment,transaction processing computer 400 further includes a communicationsmodule, a database look-up module, a database update module, a reportgeneration module, an authorization module, a settlement module, and/oran authorization database (not shown).

The communications module may be configured or programmed to receive andgenerate electronic messages comprising information transmitted throughthe transaction processing computer 400, in conjunction with theprocessor 401. When an electronic message is received by the transactionprocessing computer 400 via network interface 402, it may be passed tothe communications module. The communications module may identify andparse the relevant data based on a particular messaging protocol used inthe transaction processing computer 400 in conjunction with theprocessor 401. The received information may comprise, for instance,identification information, transaction information, and/or any otherinformation that the transaction processing computer 400 may utilize inauthorizing a financial transaction or performing a settlement andclearing procedure. The communication module may then transmit anyreceived information to an appropriate module within the transactionprocessing computer 400, in conjunction with the processor 401. Thecommunication module may also receive information from one or more ofthe modules in transaction processing computer 400 and generate anelectronic message in an appropriate data format in conformance with atransmission protocol used in the transaction processing system so thatthe message may be sent to one or more components within the system 100of FIG. 1, for example. The electronic message may then be passed to thenetwork interface 402 for transmission. The electronic message may, forexample, comprise an authorization response message or may be anauthorization request message, for example.

The database look-up module may be programmed or configured to performsome or all of the functionality associated with retrieving informationfrom one or more databases, in conjunction with the processor 401. Inthis regard, the database look-up module may receive requests from oneor more of the modules of transaction processing computer 400 forinformation that may be stored in one or more of the databases. Thedatabase look-up module may then determine and a query an appropriatedatabase, in conjunction with the processor 401. The database updatemodule may be programmed or configured to maintain and update thedatabases, such as authorization database. In this regard, the databaseupdate module may receive information about a user, financialinstitution, a payment device, and/or current or past transactioninformation from one of the modules discussed herein. This informationmay then be stored in the appropriate location in the database using anysuitable storage process.

The report generation module may be programmed or configured to performsome or all of the functionality associated with generating a reportregarding a user, an account, a transaction or transactions, or anyother entity or category of information with regard to the transactionprocessing computer 400, in conjunction with the processor 401. This mayinclude, for instance, identifying patterns (such as patterns thatindicate a fraudulent transaction or transactions) and generating one ormore alerts that may be sent (e.g. via the communications module andnetwork interface 402) to one or more entities in the system (e.g.,system 100 of FIG. 1), including a user, a resource provider, or anauthorizing entity. The report generation module may also, for example,request information from one or more of the databases via the databaselook-up module, in conjunction with the processor 401.

The authorization module may be configured or programmed to perform someor all the functionality associated with authorizing a financialtransaction associated with an authorization request message, inconjunction with the processor 401. The authorization request messagemay be generated by a resource provider computer and may be associatedwith a transaction involving a credential or token. The authorizationrequest message may include any suitable information that may be used toauthorize or identify the transaction, and may be generated by theresource provider computer in response to an interaction between acredential or a communication device and an access device associatedwith the resource provider computer. The authorization module may, forinstance, be programmed or configured to compare the informationreceived via the authorization request message with stored informationat the transaction processing computer 400 (such as comprisingverification values). In some embodiments, if the received and storedvalues match, the authorization module may authorize the transaction (ormay be more likely to authorize the transaction) and may instruct thecommunication module to generate an authorization response message, inconjunction with the processor 401. The authorization module may also beprogrammed or configured to execute any further operations associatedwith a typical authorization.

The transaction processing computer may include one or more additionaldatabases as well, such as an authorization database. The authorizationdatabase may contain information related to a credential or token, aswell as any other suitable information (such as transaction information)associated with the credential or token. For example, the authorizationdatabase may comprise a relational database having a plurality ofassociated fields, including a primary account identifier (e.g., a PAN),an authorizing entity associated with the account, expiration date of aparticular credential or token, verification value(s), an amountauthorized for a transaction, a user name, user contact information,prior transaction data, etc. In some embodiments, the authorizationmodule may utilize some or all of the information stored in theauthorization database when authorizing a transaction.

According to some embodiments, transaction processing computer 400 mayinclude an HSM 420 to perform secure functions such as encryption anddecryption operations and generation of cryptographic keys used for theencryption and decryption operations. For example, HSM 420 may include acryptography engine 422 to execute encryption algorithms such as AES,DES, TDES, or other suitable encryption algorithms using cryptographickeys of any length (e.g., 56-bit, 128-bit, 169-bit, 192-bit, 256-bit,etc.). HSM 420 may also implement a session key generator 424 togenerate a session key for each token request that transactionprocessing computer 400 processes. The generated session key can be usedto encrypt a token generated or retrieved for the request, and the tokencan be provided to the token requestor in an encrypted form. Forexample, for each request that transaction processing computer 400receives and processes, session key generator 424 may generate a sessionkey that can be unique for each request received from the particulartoken requestor, or unique to each request associate with a particularuser or account. In some embodiments, the session key can be the same ordifferent than the encryption key that is used to establish the securecommunication channel (e.g., TLS, SSL, etc.) between the token requestorand transaction processing computer 400. Token generation module 412may, in conjunction with the processor 401, generate or otherwiseretrieve a token to fulfill the request. The session key can be used bycryptography engine 422 and the processor 401 to encrypt that tokenusing an encryption algorithm, and the encrypted token can be providedto the token requestor. In some embodiments, the generated session keyis also provided to the token requestor with the encrypted token.

Although transaction processing computer 400 and application providercomputer 300 have been described with a HSM implementing only some oftheir functions, it should be understood that other functionalities ofthe respective computers (e.g., token generation) can be implementedinside an HSM as well. Furthermore, some or all of the respective HSMfunctionalities can also be implemented outside of a HSM.

II. Methods

A method according to embodiments of the invention can be described withrespect to FIG. 5, which shows a flowchart of a method for transferringresource access. FIG. 5 includes sender communication device 120,application provider computer 130, transaction processing computer 140,recipient communication device 160, ATM 170, transport computer 180, andauthorizing entity computer 190, all corresponding to the similarlynumbered entities described with respect to FIG. 1.

Optionally, prior to the steps illustrated in FIG. 5, the sendercommunication device 120 performs an initial registration withapplication provider computer 130. The initial registration may includeproviding a credential (e.g., a debit account number) to the applicationprovider computer 130. The application provider computer 130 may providethis credential to the transaction processing computer 140 forregistration with the transaction processing computer 140. Thetransaction processing computer 140 can then store this credential onfile for later use in money transfers.

At step S505, the sender communication device 120 sends a request totransfer money to a recipient to an application provider computer 130.The request includes a credential (e.g., a debit account number)associated with the sender and a recipient identifier (e.g., a recipientmobile phone number). The credential is associated with a sender code(e.g., a sender PIN number associated with the debit account), which canbe included in the request, or could have been previously provided tothe application provider computer 130 and/or the transaction processingcomputer 140 as part of an initial registration process. The request mayfurther specify an amount for the money transfer.

At step S510, the application provider computer 130 forwards therequest, including all accompanying information, to the transactionprocessing computer 140. At step S515, the transaction processingcomputer 140 receives the request, and generates a token correspondingto the credential and a recipient code associated with the sender code.In one embodiment, the recipient code is specified in the request (e.g.,by the sender). In another embodiment, the recipient code is generatedrandomly. The token, credential, sender code, and recipient code may allbe stored in association at the transaction processing computer 140.

The token and recipient code may be generated as subject to one or moreconditions in one embodiment. The conditions may be specified by thesender in the request (or in the initial registration process), or maybe requirements of the application provider computer 130 and/or thetransaction processing computer 140. For example, the token and/orrecipient code may be for one-time use (i.e., valid for only onewithdrawal), limited-time use (i.e., valid for only a certain number ofwithdrawals, valid for only a certain amount of time, etc.), and/orvalid at only certain locations (e.g., certain banks' ATMs, certainparticular ATMs, certain geographic locations, etc.). If theseconditions are not met, the withdrawal may be denied and/or the tokenand/or recipient code may be marked expired or invalid.

At step S520, the transaction processing computer 140 sends the tokenand the recipient code to the recipient using the recipient identifier.This message may further include any other relevant information aboutthe money transfer, such as the amount, a sender identifier (e.g., asender's name), and/or any conditions placed on the token and/orrecipient code. The recipient identifier may dictate how the token andthe recipient code are sent to the recipient. For example, if therequest specified a mobile phone number as the recipient identifier, thetoken and the recipient code may be sent the recipient via the mobilephone (e.g., by text message or voice call), such as is shown in FIG. 5.However, in other embodiments, if the request specified an e-mailaddress as the recipient identifier, the token and the recipient codemay be sent to the recipient by e-mail. Further, if the requestspecified a home address as the recipient identifier, the token and therecipient code may be sent by mail. In one embodiment, if received onrecipient communication device 160, the token and/or PIN may beprovisioned onto recipient communication device 160. In such anembodiment, the token and/or PIN may be used for a contactlesswithdrawal at ATM 170, as described further herein. In one embodiment,the sender can cancel the transfer to the recipient at any point up tostep S520, invalidating the token and/or the recipient code.

At step S525, the recipient communication device 160 communicates withthe ATM 170 to request withdrawal of the money. The request includes thetoken and the recipient code received by the recipient at step S525.Optionally, the request includes an amount of money for the withdrawalas well. The amount of money may be the entire amount of money specifiedby the sender, or may be a portion of the money. In one embodiment inwhich only a portion of the money is requested to be withdrawn, thetoken and/or recipient code may be used more than once by the recipientuntil the entire amount of money is withdrawn.

In other embodiments, the entire amount of money specified by thesender's request will be provided to the recipient in the withdrawal,without input from the recipient. As such, an amount of money need notbe provided by the recipient in those embodiments. Instead, the entireamount of money will be specified by the transaction processing computer140 before sending the authorization request message to the issuer.

Communication between the recipient communication device 160 and the ATM170 may be wired or wireless, or direct or indirect. For example, in oneembodiment, the recipient may plug the recipient communication device160 into the ATM 170 to transfer the token and/or the recipient code. Inanother example, the recipient may transfer the token and/or therecipient code to the ATM 170 from the recipient communication device160 by WiFi, a cellular network, or NFC (e.g., using a contactlesschip). In still another example, the recipient may read the token and/orthe recipient code from the recipient communication device 160 (or anyother medium for hosting the information) and manually enter it into theATM 170. This is advantageous in that recipient communication device 160need not have contactless communication capabilities, and/or need nothave WiFi, cellular coverage, or particular wires, in order to requestthe withdrawal.

At step S530, the ATM 170 receives the token and the recipient code,adds transaction details (e.g., currency) and business environmentdetails (e.g., ATM identifier, date of transaction, time of transaction,etc.), and generates a payment message with the information. The ATM 170may encrypt the recipient code before including it in the paymentmessage in one embodiment.

At step S535, the ATM 170 sends the payment message to the transportcomputer 180. The transport computer 180 may be associated with a bankthat is controlling or maintaining the ATM 170. At step S540, thetransport computer 180 generates an authorization request message fromthe payment message. At step S545, the transport computer 180 sends theauthorization request message to the transaction processing computer.

At step S550, the transaction processing computer 140 receives theauthorization request message, including the token and the recipientcode, and optionally determines whether the conditions specified for thetoken and/or the recipient code have been met. If they have been met,the transaction processing computer 140 translates the token into thecredential and the recipient code into the sender code. For example, thetoken provided by the recipient may be translated into the sender'sdebit account number, and the PIN number provided by the recipient maybe translated into the sender's PIN number. This information was allstored in association with each other at step S515 by the transactionprocessing computer 140, allowing for quick translation (e.g., retrievalfrom a look-up table). The transaction processing computer 140 may thenupdate the authorization request message to include the credential andthe sender code.

Translation of the token into the credential and the recipient code intothe sender code in this manner provides numerous advantages. Forexample, a resource can be transferred from a sender to a recipientwhile still providing security for the sender's sensitive credentialinformation (e.g., PAN and/or PIN). In the financial context, a new PANor new PIN directly associated with the account does not need to begenerated to allow a recipient to quickly and directly obtain money fromany ATM location associated with any bank and at any time of the day,even without a bank account. Further, the request may be processed as astandard ATM withdrawal from the sender's account, even though the tokenand recipient code are not directly linked to the sender's account.

The authorization request message may be handled as a typical ATMwithdrawal request. At step S555, the transaction processing computer140 determines the authorizing entity associated with the credential,and forwards the authorization request message including the credential,the sender code and the amount to the authorizing entity computer 190associated with the proper authorizing entity. At step S560, theauthorizing entity computer 190 determines whether there are enoughfunds in the account associated with the credential to perform thewithdrawal, verifies the sender code, and generates an authorizationresponse message approving or declining the withdrawal.

At step S565, the authorizing entity computer 190 sends theauthorization response message to the transaction processing computer140. In one embodiment in which the conditions on the token and/orrecipient code specify that either or both are for one-time use, thetransaction processing computer 140 may retrieve and invalidate thetoken and/or recipient code if the authorization response messageindicates that the withdrawal is approved. Thus, if another request towithdraw money using the token and/or recipient code is received at thetransaction processing computer 140, the transaction processing computer140 may decline the request. In another embodiment in which theconditions on the token and/or recipient code specify that either orboth are for limited-time use (e.g., three-time use), the transactionprocessing computer 140 may increment a counter associated with thetoken and/or recipient code, such that when the maximum number of usesis reached, the token and/or recipient code may be invalidated.

At step S570, the transaction processing computer 140 sends theauthorization response message to the transport computer 180. At stepS575, the transport computer 180 instructions the ATM 170 to eitherprovide the requested money or the decline the transaction based on theauthorization response message. If the withdrawal is approved, the ATM170 provides the requested money to the recipient associated withrecipient communication device 160.

At a later point in time (e.g., at the end of the day), a clearing andsettlement process can be conducted between the transaction processingcomputer 140, the authorizing entity computer 190, and the transportcomputer 180 associated with ATM 170. The ATM 170 may first provide afile with the token and the associated transaction data (e.g., theamount) to the transport computer 180. The transport computer 180 maythen transmit any clearing and settlement messages to the transactionprocessing computer 140 using the token. The token may then be convertedto the credential as described above to facilitate the exchange ofmessages and the transfer of funds between the transport computer 180and the authorizing entity computer 190.

Generating a token associated with a credential and a recipient codeassociated with a sender code in order to transfer resource access canbe applied outside of financial transaction contexts as well. Forexample, embodiments of the invention may be utilized to designatecertain access privileges to a recipient who may provide a token andrecipient code in order to be granted access. For example, FIG. 6 showsa block diagram of a building access system according to embodiments ofthe invention.

A sender 610 operates a sender communication device 620 having acredential (e.g., access rights) associated with a sender code securingthe access rights. Sender 610 may request that a subset of his or heraccess rights be provided to recipient 650 via recipient communicationdevice 660. The request may include a recipient identifier (e.g., amobile phone number) associated with recipient 650. Recipient 650 mayreceive a token corresponding to the credential and a recipient codeassociated with the sender code, e.g. on recipient communication device660, and provision them to the recipient communication device 660.

Thereafter, both sender communication device 620 and recipientcommunication device 660 can interact with access device 685 and passtheir respective credentials (credential and sender code, with respectto sender communication device 620; and token and recipient code, withrespect to recipient communication device 660) to access device 685. Theaccess device 685 may locally analyze the credentials to determinewhether access should be granted to building 690, or it may communicatewith a remotely located server computer (not shown). The remotelylocated server computer may analyze the security notification data todetermine whether access should be granted to building 690, and maytransmit a signal indicating this back to the access device 685. Theaccess device 685 may then proceed to allow or deny access by the sender610 and/or the recipient 650 to the building 690, in accordance with therespective data elements.

Embodiments of the invention provide a number of advantages. Because therecipient is only provided with a token corresponding to a credentialand a recipient code corresponding to a sender code, security ismaintained for the sender's sensitive information (e.g., PAN and PINnumber). Further, because the token and recipient code can be used onlyunder certain conditions in some embodiments (e.g., a location at whichthe money may be withdrawn, a certain number of uses, etc.), thelikelihood of fraudulent use of the token and recipient code arereduced. In addition, because the recipient code is not directly tied tothe credential, risk of fraud is further limited.

Further, these systems and methods can allow a sender to convenientlytransfer resource access from any location and at any time of the day.In the case of money transfers, the recipient can quickly and directlyobtain the money (e.g., without having to go through a bank account)from any ATM location associated with any bank and at any time of theday, even without having a bank account at that bank, the sender's bank,or any other bank. In addition, the sender need only know how to getinto contact with the recipient (i.e., have a recipient identifier) inorder to transfer resource access to a recipient. Sensitive recipientinformation (e.g., an account number) is not needed.

From an implementation standpoint, no infrastructure changes are neededfor the transport computer and/or the authorizing entity computer toimplement the systems and methods described herein. Although the processbegins as a push transaction (i.e., a sender pushing a payment to arecipient), it is ultimately processed as a traditional ATM pulltransaction with which the transport computer and the authorizing entitycomputer already know how to process. To the transport computer and theauthorizing entity computer, it appears that the recipient is simplywithdrawing money from his or her own bank account.

A computer system may be used to implement any of the entities orcomponents described above. The subsystems of the computer system may beinterconnected via a system bus. Additional subsystems such as aprinter, keyboard, fixed disk (or other memory comprising computerreadable media), monitor, which is coupled to display adapter, andothers may be used. Peripherals and input/output (I/O) devices, whichcouple to an I/O controller (which can be a processor or other suitablecontroller), can be connected to the computer system by any number ofmeans known in the art, such as a serial port. For example, a serialport or external interface can be used to connect the computer apparatusto a wide area network such as the Internet, a mouse input device, or ascanner. The interconnection via system bus allows the central processorto communicate with each subsystem and to control the execution ofinstructions from system memory or the fixed disk, as well as theexchange of information between subsystems. The system memory and/or thefixed disk may embody a computer readable medium. In some embodiments,the monitor may be a touch sensitive display screen.

A computer system can include a plurality of the same components orsubsystems, e.g., connected together by an external interface or by aninternal interface. In some embodiments, computer systems, subsystem, orapparatuses can communicate over a network. In such instances, onecomputer can be considered a client and another computer a server, whereeach can be part of a same computer system. A client and a server caneach include multiple systems, subsystems, or components.

It should be understood that any of the embodiments of the presentinvention can be implemented in the form of control logic using hardware(e.g. an application specific integrated circuit or field programmablegate array) and/or using computer software with a generally programmableprocessor in a modular or integrated manner. As used herein, a processorincludes a single-core processor, multi-core processor on a sameintegrated chip, or multiple processing units on a single circuit boardor networked. Based on the disclosure and teachings provided herein, aperson of ordinary skill in the art will know and appreciate other waysand/or methods to implement embodiments of the present invention usinghardware and a combination of hardware and software.

Any of the software components or functions described in thisapplication may be implemented as software code to be executed by aprocessor using any suitable computer language such as, for example,Java, C, C++, C#, Objective-C, Swift, or scripting language such as Perlor Python using, for example, conventional or object-orientedtechniques. The software code may be stored as a series of instructionsor commands on a computer readable medium for storage and/ortransmission, suitable media include random access memory (RAM), a readonly memory (ROM), a magnetic medium such as a hard-drive or a floppydisk, or an optical medium such as a compact disk (CD) or DVD (digitalversatile disk), flash memory, and the like. The computer readablemedium may be any combination of such storage or transmission devices.

Such programs may also be encoded and transmitted using carrier signalsadapted for transmission via wired, optical, and/or wireless networksconforming to a variety of protocols, including the Internet. As such, acomputer readable medium according to an embodiment of the presentinvention may be created using a data signal encoded with such programs.Computer readable media encoded with the program code may be packagedwith a compatible device or provided separately from other devices(e.g., via Internet download). Any such computer readable medium mayreside on or within a single computer product (e.g. a hard drive, a CD,or an entire computer system), and may be present on or within differentcomputer products within a system or network. A computer system mayinclude a monitor, printer, or other suitable display for providing anyof the results mentioned herein to a user.

The above description is illustrative and is not restrictive. Manyvariations of the invention will become apparent to those skilled in theart upon review of the disclosure. The scope of the invention should,therefore, be determined not with reference to the above description,but instead should be determined with reference to the pending claimsalong with their full scope or equivalents. For example, althoughspecific functions and methods have been described with respect totransaction processing computer 120 in FIG. 6, such functions could beperformed by other computers such as the authorizing entity computer140.

One or more features from any embodiment may be combined with one ormore features of any other embodiment without departing from the scopeof the invention.

A recitation of “a”, “an” or “the” is intended to mean “one or more”unless specifically indicated to the contrary.

All patents, patent applications, publications, and descriptionsmentioned above are herein incorporated by reference in their entiretyfor all purposes. None is admitted to be prior art.

What is claimed:
 1. A method comprising: obtaining, by a servercomputer, a token corresponding to an account identifier and a recipientcode associated with a sender code, the account identifier and thesender code associated with a sender, and the token and the recipientcode capable of being used at only at a specific terminal; sending, bythe server computer, the token and the recipient code to a recipientusing a recipient identifier; receiving, by the server computer, arequest to access a resource, the request including the token and therecipient code, from the specific terminal; translating, by the servercomputer, the token into the account identifier and the recipient codeinto the sender code; and processing, by the server computer, therequest using the account identifier and the sender code.
 2. The methodof claim 1, further comprising: after processing the request,invalidating the token and the recipient code.
 3. The method of claim 2,further comprising: after invalidating the token and the recipient code,receiving another request to access the resource, the another requestincluding the token and the recipient code; and declining the anotherrequest.
 4. The method of claim 1, wherein the recipient code isgenerated after being selected by the sender.
 5. The method of claim 1,wherein the recipient identifier is associated with a mobile device ofthe recipient.
 6. The method of claim 5, further comprising:provisioning the mobile device of the recipient with the token.
 7. Themethod of claim 1, wherein the request is a second request, and theserver computer receives a first request which specifies at least onecondition under which the second request must be received.
 8. The methodof claim 7, wherein the at least one condition comprises at least one ofa maximum duration of time between receiving the first request andreceiving the second request, and a location associated with the secondrequest.
 9. The method of claim 8, further comprising: receiving a thirdrequest to access a second portion of the resource, the third requestincluding the token and the recipient code; translating, by the servercomputer, the token into the account identifier and the recipient codeinto the sender code; and processing, by the server computer, the thirdrequest using the account identifier and the sender code.
 10. The methodof claim 1, wherein the specific terminal is a specific ATM.
 11. Themethod of claim 1, wherein at least one of the sender code and therecipient code is a PIN number.
 12. A server computer comprising: aprocessor; and a memory element comprising code, executable by theprocessor, for implementing a method comprising: obtaining a tokencorresponding to an account identifier and a recipient code associatedwith a sender code, the account identifier and the sender codeassociated with a sender, and the token and the recipient code capableof being used at only at a specific terminal; sending the token and therecipient code to a recipient using a recipient identifier; receiving arequest to access a resource, the request including the token and therecipient code, from the specific terminal; translating the token intothe account identifier and the recipient code into the sender code; andprocessing the request using the account identifier and the sender code.13. The server computer of claim 12, the method further comprising:after processing the request, invalidating the token and the recipientcode.
 14. The server computer of claim 13, the method furthercomprising: after invalidating the token and the recipient code,receiving another request to access the resource, the another requestincluding the token and the recipient code; and declining the anotherrequest.
 15. The server computer of claim 12, wherein the recipient codeis generated after being selected by the sender.
 16. The server computerof claim 12, wherein the recipient identifier is associated with amobile device of the recipient.
 17. The server computer of claim 16, themethod further comprising: provisioning the mobile device of therecipient with the token.
 18. The server computer of claim 12, whereinthe request is a second request, and wherein the method furthercomprises: receiving a first request, wherein the first requestspecifies at least one condition under which the second request must bereceived.
 19. A system comprising: a server computer comprising aprocessor, and a memory element comprising code, executable by theprocessor, for implementing a method comprising obtaining a tokencorresponding to an account identifier and a recipient code associatedwith a sender code, the account identifier and the sender codeassociated with a sender, and the token and the recipient code capableof being used at only at a specific terminal, sending the token and therecipient code to a recipient using a recipient identifier, receiving arequest to access a resource, the request including the token and therecipient code, from the specific terminal, translating the token intothe account identifier and the recipient code into the sender code, andprocessing the request using the account identifier and the sender code;and the specific terminal in communication with the server computer. 20.The system of claim 19, wherein the specific terminal is an ATM.